'\" t
.TH "SYSTEMD\-CRYPTSETUP\-GENERATOR" "8" "" "systemd 254" "systemd-cryptsetup-generator"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
systemd-cryptsetup-generator \- Unit generator for /etc/crypttab
.SH "SYNOPSIS"
.PP
/lib/systemd/system\-generators/systemd\-cryptsetup\-generator
.SH "DESCRIPTION"
.PP
systemd\-cryptsetup\-generator
is a generator that translates
/etc/crypttab
into native systemd units early at boot and when configuration of the system manager is reloaded\&. This will create
\fBsystemd-cryptsetup@.service\fR(8)
units as necessary\&.
.PP
systemd\-cryptsetup\-generator
implements
\fBsystemd.generator\fR(7)\&.
.SH "KERNEL COMMAND LINE"
.PP
systemd\-cryptsetup\-generator
understands the following kernel command line parameters:
.PP
\fIluks=\fR, \fIrd\&.luks=\fR
.RS 4
Takes a boolean argument\&. Defaults to
"yes"\&. If
"no", disables the generator entirely\&.
\fIrd\&.luks=\fR
is honored only in the initrd while
\fIluks=\fR
is honored by both the main system and in the initrd\&.
.RE
.PP
\fIluks\&.crypttab=\fR, \fIrd\&.luks\&.crypttab=\fR
.RS 4
Takes a boolean argument\&. Defaults to
"yes"\&. If
"no", causes the generator to ignore any devices configured in
/etc/crypttab
(\fIluks\&.uuid=\fR
will still work however)\&.
\fIrd\&.luks\&.crypttab=\fR
is honored only in initrd while
\fIluks\&.crypttab=\fR
is honored by both the main system and in the initrd\&.
.RE
.PP
\fIluks\&.uuid=\fR, \fIrd\&.luks\&.uuid=\fR
.RS 4
Takes a LUKS superblock UUID as argument\&. This will activate the specified device as part of the boot process as if it was listed in
/etc/crypttab\&. This option may be specified more than once in order to set up multiple devices\&.
\fIrd\&.luks\&.uuid=\fR
is honored only in the initrd, while
\fIluks\&.uuid=\fR
is honored by both the main system and in the initrd\&.
.sp
If
/etc/crypttab
contains entries with the same UUID, then the name, keyfile and options specified there will be used\&. Otherwise, the device will have the name
"luks\-UUID"\&.
.sp
If
/etc/crypttab
exists, only those UUIDs specified on the kernel command line will be activated in the initrd or the real root\&.
.RE
.PP
\fIluks\&.name=\fR, \fIrd\&.luks\&.name=\fR
.RS 4
Takes a LUKS super block UUID followed by an
"="
and a name\&. This implies
\fIrd\&.luks\&.uuid=\fR
or
\fIluks\&.uuid=\fR
and will additionally make the LUKS device given by the UUID appear under the provided name\&.
.sp
This parameter is the analogue of the first
\fBcrypttab\fR(5)
field
\fIvolume\-name\fR\&.
.sp
\fIrd\&.luks\&.name=\fR
is honored only in the initrd, while
\fIluks\&.name=\fR
is honored by both the main system and in the initrd\&.
.RE
.PP
\fIluks\&.data=\fR, \fIrd\&.luks\&.data=\fR
.RS 4
Takes a LUKS super block UUID followed by a
"="
and a block device specification for device hosting encrypted data\&.
.sp
For those entries specified with
\fIrd\&.luks\&.uuid=\fR
or
\fIluks\&.uuid=\fR, the data device will be set to the one specified by
\fIrd\&.luks\&.data=\fR
or
\fIluks\&.data=\fR
of the corresponding UUID\&.
.sp
LUKS data device parameter is useful for specifying encrypted data devices with detached headers specified in
\fIluks\&.options\fR
entry containing
"header="
argument\&. For example,
\fIrd\&.luks\&.uuid=\fRb40f1abf\-2a53\-400a\-889a\-2eccc27eaa40
\fIrd\&.luks\&.options=\fRb40f1abf\-2a53\-400a\-889a\-2eccc27eaa40=header=/path/to/luks\&.hdr
\fIrd\&.luks\&.data=\fRb40f1abf\-2a53\-400a\-889a\-2eccc27eaa40=/dev/sdx\&. Hence, in this case, we will attempt to unlock LUKS device assembled from data device
"/dev/sdx"
and LUKS header (metadata) put in
"/path/to/luks\&.hdr"
file\&. This syntax is for now only supported on a per\-device basis, i\&.e\&. you have to specify LUKS device UUID\&.
.sp
This parameter is the analogue of the second
\fBcrypttab\fR(5)
field
\fIencrypted\-device\fR\&.
.sp
\fIrd\&.luks\&.data=\fR
is honored only in the initrd, while
\fIluks\&.data=\fR
is honored by both the main system and in the initrd\&.
.RE
.PP
\fIluks\&.key=\fR, \fIrd\&.luks\&.key=\fR
.RS 4
Takes a password file name as argument or a LUKS super block UUID followed by a
"="
and a password file name\&.
.sp
For those entries specified with
\fIrd\&.luks\&.uuid=\fR
or
\fIluks\&.uuid=\fR, the password file will be set to the one specified by
\fIrd\&.luks\&.key=\fR
or
\fIluks\&.key=\fR
of the corresponding UUID, or the password file that was specified without a UUID\&.
.sp
It is also possible to specify an external device which should be mounted before we attempt to unlock the LUKS device\&. systemd\-cryptsetup will use password file stored on that device\&. Device containing password file is specified by appending colon and a device identifier to the password file path\&. For example,
\fIrd\&.luks\&.uuid=\fRb40f1abf\-2a53\-400a\-889a\-2eccc27eaa40
\fIrd\&.luks\&.key=\fRb40f1abf\-2a53\-400a\-889a\-2eccc27eaa40=/keyfile:LABEL=keydev\&. Hence, in this case, we will attempt to mount file system residing on the block device with label
"keydev"\&. This syntax is for now only supported on a per\-device basis, i\&.e\&. you have to specify LUKS device UUID\&.
.sp
This parameter is the analogue of the third
\fBcrypttab\fR(5)
field
\fIkey\-file\fR\&.
.sp
\fIrd\&.luks\&.key=\fR
is honored only in the initrd, while
\fIluks\&.key=\fR
is honored by both the main system and in the initrd\&.
.RE
.PP
\fIluks\&.options=\fR, \fIrd\&.luks\&.options=\fR
.RS 4
Takes a LUKS super block UUID followed by an
"="
and a string of options separated by commas as argument\&. This will override the options for the given UUID\&.
.sp
If only a list of options, without a UUID, is specified, they apply to any UUIDs not specified elsewhere, and without an entry in
/etc/crypttab\&.
.sp
This parameter is the analogue of the fourth
\fBcrypttab\fR(5)
field
\fIoptions\fR\&.
.sp
It is possible to specify an external device which should be mounted before we attempt to unlock the LUKS device\&. systemd\-cryptsetup will assemble LUKS device by combining data device specified in
\fIluks\&.data\fR
with detached LUKS header found in
"header="
argument\&. For example,
\fIrd\&.luks\&.uuid=\fRb40f1abf\-2a53\-400a\-889a\-2eccc27eaa40
\fIrd\&.luks\&.options=\fRb40f1abf\-2a53\-400a\-889a\-2eccc27eaa40=header=/luks\&.hdr:LABEL=hdrdev
\fIrd\&.luks\&.data=\fRb40f1abf\-2a53\-400a\-889a\-2eccc27eaa40=/dev/sdx\&. Hence, in this case, we will attempt to mount file system residing on the block device with label
"hdrdev", and look for
"luks\&.hdr"
on that file system\&. Said header will be used to unlock (decrypt) encrypted data stored on /dev/sdx\&. This syntax is for now only supported on a per\-device basis, i\&.e\&. you have to specify LUKS device UUID\&.
.sp
\fIrd\&.luks\&.options=\fR
is honored only by initial RAM disk (initrd) while
\fIluks\&.options=\fR
is honored by both the main system and in the initrd\&.
.RE
.SH "SEE ALSO"
.PP
\fBsystemd\fR(1),
\fBcrypttab\fR(5),
\fBsystemd-cryptsetup@.service\fR(8),
\fBsystemd-cryptenroll\fR(1),
\fBcryptsetup\fR(8),
\fBsystemd-fstab-generator\fR(8)
